India's technology sector is valued at over $200 billion, but its cybersecurity policy has not kept pace with its technological growth. The national cybersecurity strategy has not been updated since 2013, and its cyber policy agencies are still in their early stages. This essay analyzes India's cyberspace strategy and proposes key policies for the government to prioritize. It argues that India's current cyber defenses are insufficient for protecting its socio-economic institutions. Therefore, it recommends the adoption of a deterrence-by-denial cybersecurity strategy to comprehensively update India's defensive cyberspace infrastructure, making cyber-attacks prohibitively costly. The essay consists of four sections: a framework for understanding cyber operations, the importance of a defensive cyber policy, an evaluation of policy implementation, and a summary of the paper's arguments.
Cyber Operations: A Conceptual Framework
Cyber operations can be categorized as offensive or defensive. The offensive use of cyber weapons starts with espionage operations where a nation or non-state actor gains access to foreign networks to obtain the target’s data.1 These cyber espionage operations can acquire a more destructive characteristic when access to the target’s network is used to destroy and manipulate information. Benjamin Buchanan classifies these operations as ‘cyber-attacks’.2 These attacks have also broadened to include a new category of cyber ‘influence’ operations that manipulate public information and social media to sow discord. On the other side of the spectrum, defensive cyber operations involve using passive measures to create barriers and safeguards against illicit network intrusions. At the most basic level, these could include adding password protection to a network and can scale to using sophisticated encryption standards that make stolen data incomprehensible. Defensive cyber operations now use more active measures against hostile actors. The most notable expression of this development is the U.S.’ Defend Forward Strategy. Put simply, it seeks to track malicious cyber actors and stop potential attacks at the source, before they can enter U.S. networks.
Determining India’s Cyber Security Objectives:
India's most urgent cyberspace priority should be improving its cyber defenses, as its 2013 cybersecurity strategy has failed to protect against malicious cyber actors. In 2020, China created a blackout in India’s financial capital Mumbai during its border standoff with Indian forces. A year earlier, one of the country’s largest nuclear power plants was hacked, compromising data on its schematics and operations. Most alarmingly, the 2018 data breach of the national identity database was one of the largest ever recorded, exposing information on 1.1 billion citizens. India’s cybersecurity limitations are reflected in MIT’s Cyber Defense Index, where it ranks 17th out of the world’s 20 largest digital economies.
To address these flaws, India should consider a new deterrence-by-denial approach to cybersecurity, by building a comprehensive and integrated defense system. Deterrence-by-Denial is a strategy where a state creates defensive measures to convince an adversary that their attacks would fail or incur heavy costs. Implementing such a strategy could improve India’s cybersecurity by making attacks against its networks very expensive, disincentivizing malicious cyber actors. From a strategic perspective, defensive measures are non-threatening because they cannot be used for offensive operations. Consequently, they are unlikely to increase tensions with India’s main cyber adversaries - Pakistan and China. Such an approach is preferable to offensive alternatives because the lack of a defensive cover makes India’s offensive cyber operations vulnerable to retaliation. Here, it should be noted that stronger cyber defenses will not stop all cyber-attacks - hackers have breached countries with sophisticated cybersecurity systems. However, as the cases mentioned above have demonstrated, the barriers toward entering India’s cyberspace are set too low.
Implementing a Deterrence-by-Denial Cybersecurity Strategy
Instead of advanced technical measures, implementing a deterrence-by-denial strategy requires fixing the structural problems in India’s cyber defense policy. Currently, there are several such flaws in India's cybersecurity policy, reducing the efficacy of its cyber defenses. Solving these problems is an important first step toward creating a stronger cyber defensive network. Four issues, in particular, stand out:
Coordination
Two organizations in different parts of the federal government manage the nation’s cyber defenses. The Cyber Emergency Response Team - India (CERT-In) in the Ministry of Electronics is the nation’s primary cybersecurity agency. However, in 2013 the government created a separate organization under the Prime Minister’s Office to manage critical infrastructure - NCIIPC. This has created a coordination problem because both agencies cannot easily talk to each other by virtue of being in different parts of the government. As a result, there is duplication of efforts and persistent jurisdictional problems in India's cyber defense policy. For example, both bodies publish reports on general vulnerabilities and flaws in popular commercial software. Solving this problem requires locating both organizations in a single government ministry for faster communication. Alternatively, both bodies could be integrated into one organization, following the French, American, and British approaches to cybersecurity. Not only would this significantly streamline the management of Indian cyber defenses, but it would also prevent internal turf battles and resource disputes within the government.
Insufficient Protection of Critical Infrastructure:
NCIIPC lacks a successful track record in protecting critical infrastructure. According to some reports, it has only managed to create a strong cybersecurity system for the power sector. Moreover, at the state level, it has not provided local infrastructure authorities with adequate security standards. This has forced some states, such as Tamil Nadu, to create their own cyber defense guidelines from scratch. To address this problem, the government should publicly release a clear list of industries and assets that constitute critical infrastructure. Currently, only guidelines for determining which organizations and assets count as critical infrastructure exist. Clearly demarcating the infrastructure which qualifies under this label can set government priorities while preventing a wastage of efforts on non-critical systems. It can also generate stronger accountability standards for protecting critical infrastructure because of the higher visibility of failures.
Funding:
The government does not directly fund its cybersecurity organizations. Both CERT-In and NCIIPC receive funding from the general budget of their respective parent organizations. CERT-In, for example, has an annual budget of $27 million. In comparison, CISA receives over $2 billion annually, and France allocated $162 million in 2020 for cyber defenses. As a result, there are serious capacity issues limiting the functioning of government cyber defense agencies. As the previous sections show, cybersecurity agencies have been unable to create defenses across all their critical infrastructure sectors. The Indian government should therefore strongly consider funding cybersecurity as a separate budget line item. Here, the government could consider the Data Security Council of India's proposal of allocating 0.25 percent of the government's budget to cybersecurity. Based on 2021 spending figures, this would create an $882 million outlay, significantly higher than current spending. This funding could address capacity and talent-related problems in government cybersecurity agencies.
Talent:
Despite considerable government subsidies to India's premier technical education institutes, barely any of the graduates from these schools join the public sector. This has posed a major problem for India's cyber defenses because the country's cybersecurity institutions cannot access qualified manpower. Most STEM graduates in India prefer higher-paying jobs abroad or in the private sector. There are no easy solutions to this problem. However, a good start could be a STEM scholarship program that obligates recipients to serve in government for a set period. Most foreign cybersecurity and intelligence agencies, such as America's NSA and the UK's National Cyber Security Centre, have adopted this approach to attract top students with considerable success. Additionally, the government needs to reorient its approach to hiring, which is antiquated by modern standards. There is no centralized platform for advertising vacancies, while interested candidates need to physically mail their applications. Solving this problem may not directly increase the recruitment of qualified cybersecurity personnel, but it could reduce barriers to entry.
Conclusion
This essay has examined India’s cyber policy, advocating for the adoption of a deterrence-by-denial strategy aimed at building India’s cyber defenses. It has argued for a defensive strategy because the current national cyber policy has been unsuccessful in developing safeguards against dangerous cyber-attacks. As demonstrated in the previous sections, malicious cyber actors have been successful in breaching several parts of India’s critical infrastructure, including the national identity database, nuclear power stations, and financial institutions. A defensive deterrence-by-denial approach addresses this problem by raising the barriers to breaching Indian networks. The first step toward implementing this strategy is repairing several structural weaknesses within India’s current cyber policy. In this vein, the paper has suggested several measures such as the creation of independent funding for cyber security and the establishment of a unified cybersecurity agency to create the basis for stronger cyber defenses.
1 Buchanan, Ben. The hacker and the state: Cyber attacks and the new normal of geopolitics. Harvard University Press, 2020: 313-314.
2 Buchanan, Hacker and the State, 314.
3 Buchanan, Ben. The cybersecurity dilemma: Hacking, trust, and fear between nations. Oxford University Press, 2016: 51-74.
4 Kollars, Nina, and Jacquelyn Schneider. "Defending Forward: The 2018 Cyber Strategy is Here." War on the Rocks (2018): 123-134.
5 Kudankulam nuclear plant hack: What really happened and what danger did it pose? (scroll.in)